Motivated by the response pattern for property specifications and applications within flexible
workflow management systems, we report upon an initial study of modal and mixed transition systems
in which the must transitions are interpreted as must eventually, and in which implementations can 
contain may behaviors that are resolved at run-time. We propose Transition Systems with Responses 
(TSRs) as a suitable model for this study. We prove that TSRs correspond to a restricted class of 
mixed transition systems, which we refer to as the action-deterministic mixed transition systems. We 
show that TSRs allow for a natural definition of deadlocked and accepting states. We then transfer 
the standard definition of refinement for mixed transition systems to TSRs and prove that refinement 
does not preserve deadlock freedom. This leads to the proposal of safe refinements, which are those 
that preserve deadlock freedom. We exemplify the use of TSRs and (safe) refinements on a small 
medication workflow. 

1 Introduction 

Modal transition systems (MTS) were introduced originally in the seminal work of Larsen and
Thomsen [7] (see also [2]) as a basic transition system model supporting stepwise specification and
refinement of parallel processes. Intuitively, an MTS can be considered a labeled transition system
(LTS) in which a subset of the transitions are identified as being required (must), while the others
are merely allowed (may). In an MTS every required transition is also allowed, to avoid
inconsistencies. An MTS describes simultaneously an over-approximation and an under-approximation
of a process in an intertwined manner. In a stepwise refinement scenario this approximation interval
is narrowed down to a single process, an LTS.

Subsequent work has lifted the assumption that required transitions need also be allowed, leading to 
the model of mixed transition systems [3]. This means that mixed transition systems allow states to have 
requirements that are impossible to fulfill, which we will refer to as conflicting requirements. 

However, the general notion of a must transition that is not also a may transition appears quite 
intricate; it calls for interpreting for each action the specifications at the targets of the must transitions 
with that action, which must all be satisfied in conjunction with some choice of may transition with 
that action. This is reflected in the complexity of basic implementability being EXPTIME-complete for
mixed transition systems, and trivial for MTSs [1].

MTS design focuses on underspecification of behaviour that is resolved at implementation time. So
for each implementation of an MTS, allowed behaviour has to be refined to some desirable subset, in
agreement with the must behaviour. While this is the main carrying feature of MTSs, it does
sidestep the dual problem of underspecifying behaviour at runtime, such that allowed (may)
behaviours are disambiguated during execution of a process, and required (must) behaviours are
performed at runtime to ensure progress (liveness).

In the present paper, we propose taking a step back to consider a model for specification of may and 
must behavior both at run-time (as acceptance criteria on execution traces) and at implementation time
(as refinements). Considering an MTS as a model for underspecified behavior to be resolved at
run-time leads to a natural notion of accepting and deadlocked states. An accepting state is a state from 
which no must transitions are specified, and thus it is permitted to end the execution. A deadlocked state 
is a state from which no may transitions are specified but at least one must transition is specified. 

Motivated by the response pattern for property specifications [4] and previous work on declarative 
workflow modelling languages [5, 6], we propose to interpret must transitions as a requirement that an 
action within a certain scope must eventually be executed. The scope is the extent of the execution
in which a must transition with that activity is defined. This leads to a new, relaxed interpretation of 
states of mixed transition systems having must transitions that are not allowed in the same state as a may 
transition: Such states are only expressing a conflict, i.e. unacceptable, behavior at run-time if the scope 
of the must transition includes the rest of the execution, and the activity required by the must transition is 
not executed. In other words, a run will be considered unacceptable if an activity is continuously required 
as a must transition but never executed. For finite trace semantics, which we will focus on in the present 
paper, this condition is implied by the final state being an accepting state as defined above. For infinite 
trace semantics, which we will study in future work as indicated in Sec. 4, this condition corresponds to 
the future modality of linear-time temporal logic, and allows ω-regular languages to be expressed in a
natural way. 

While it thus makes sense to consider must behavior that is not also (immediately) allowed as may 
behavior, we do not want to unleash the full generality of mixed transition systems. Instead we propose 
to replace the must transitions by a set of response actions assigned to each state, referred to as the 
response set. The intuitive meaning is that if an action belongs to the response set of a state s, then the 
action is required before termination, unless a state is reached in which the action no longer belongs to 
the response set. We name the resulting model Transition Systems with Responses (TSR). 

We show that TSRs correspond to a restricted class of mixed transition systems that we refer to 
as action-deterministic mixed transition systems, and transfer the standard definition of refinement for 
mixed (and modal) transition systems. However, a simple example shows that the standard definition 
of refinement does not preserve deadlock freedom. Consequently, we instead propose studying safe 
refinements, which are those refinements that reflect deadlocked states (i.e., preserve deadlock freedom). 

As an example, consider the TSR given in Fig. 1(a) with initial state s0. It describes a medication
workflow in which a doctor prescribes medicine, possibly several times, and then either cancels or signs
the prescription. A prescription has as the required response that a nurse gives the medicine. This will 
end the workflow and cannot happen if the doctor has not signed after the latest prescription. However, 
the nurse may instead indicate that the prescription is not trusted. In that case, the doctor is requested as 
response to prescribe new medicine, but may instead just sign the old prescription (indicating that it was 
indeed right) or cancel the prescription. 

The TSR in Fig. 1(b) shows a refinement of the TSR in Fig. 1(a). The refinement restricts the
workflow such that only one prescription can be made at a time, by removing some of the prescription
transitions that are not required. Also, the doctor is now required to sign after making a prescription, i.e.,
as a response. This is enforced by adding sign to the response set of state s1, corresponding to making the
sign transition from state s1 a must transition. Moreover, the doctor can now only cancel if a prescription
is indicated as not trusted. This refinement is safe, since it does not introduce any deadlocked states.
Moreover, as will be more clear below when we give the formal definitions, the TSR in Fig. 1(b) has
no unsafe refinements. The TSR in Fig. 1(c) on the other hand shows an unsafe refinement of the TSR
in Fig. 1(a) since it introduces a deadlocked state. The state s1 is deadlocked since give is required but
no transition is possible. Finally, Fig. 2 shows a mixed transition system corresponding to the TSR in
Fig. 1(a). As usual, the solid transitions are must transitions and dashed transitions are may transitions.
Note that for all must transitions we have a corresponding may transition, except for the must transition
from state s1 to state s5. This transition captures that in state s1 it is required (eventually) to give the
medicine, unless another transition causes the must transition to disappear, as for instance the don't trust
transition from s2 to s3.

Figure 1: Medication workflow as TSR and refinements.

The rest of the paper is structured as follows. In Sec. 2 we briefly recall the definition of mixed and 
modal transition systems and refinement for such, and define the restricted classes of action-deterministic 
modal and mixed transition systems. In Sec. 3 we then give the formal definition of transition systems 
with responses, and safe and unsafe refinement for such, prove the correspondence to action-deterministic 
modal and mixed transition systems and relate refinement to language inclusion. In Sec. 4 we conclude 
and provide pointers to future work. 

2 Action-deterministic Modal and Mixed Transition Systems 

In this section we briefly recall the definition of modal and mixed transition systems, define the
subclasses of action-deterministic modal and mixed transition systems and recall the standard
definition of refinement for modal and mixed transition systems.

Definition 1 (Mixed and Modal Transition Systems). A Mixed Transition System (MixTS) is a tuple
$T = (S, s_0, Act, \rightarrow_\Box, \rightarrow_\Diamond)$ where $S$ is a set of states, $s_0 \in S$ is the
initial state, $Act$ is a set of actions, and $\rightarrow_\Box, \rightarrow_\Diamond \subseteq S \times Act \times S$
are respectively must and may transition relations. $T$ is also a Modal Transition System (MTS) if
additionally $\rightarrow_\Box \subseteq \rightarrow_\Diamond$. Finally, let $s \xrightarrow{a} s'$ denote that
either $s \xrightarrow{a}_\Box s'$ or $s \xrightarrow{a}_\Diamond s'$.

Figure 2: Medication workflow as Mixed TS.

We will in this paper focus on so-called action-deterministic mixed and modal transition systems that 
we will show directly correspond to the proposed model of transition systems with responses. 

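Definition 2 (Action-deterministic MixTS and MTS). A (mixed, modal) transition system
$T = (S, s_0, Act, \rightarrow_\Box, \rightarrow_\Diamond)$ is action-deterministic if

1. $s \xrightarrow{a} s' \wedge s \xrightarrow{a} s''$ implies $s' = s''$.

2. $s \xrightarrow{a}_\Box s' \wedge s \not\xrightarrow{a}_\Diamond$ implies $\forall a \in Act.\ s' \not\xrightarrow{a}$ and $s'' \xrightarrow{b} s'$ implies $s = s'' \wedge a = b$.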

The first condition is the usual determinacy condition, stating that for any state, the target state for a 
transition with a specific action is unique. However, note that since we do not distinguish between may 
and must transitions, it also implies that if there is a may and must transition with the same label from a
state they lead to the same state. The second condition restricts the occurrence of must transitions
that have no corresponding may transition, and is thus trivially satisfied for modal transition systems. 
The condition states that such a "must but may not" transition must lead to a state from which no further 
transitions are possible, and that it is the unique transition leading to that state. Intuitively, the restriction 
means that such a must transition contains no other information than the fact that the action is required. 
This allows us in the next section to replace must transitions with sets of actions assigned to each state 
in the definition of transition systems with responses. 

Below we recall the definition of refinement for mixed and modal TS. 
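Definition 3 (Refinement for MixTS and MTS). A binary relation $\mathcal{R} \subseteq S_1 \times S_2$ between
the state sets of two mixed transition systems $T_j = (S_j, i_j, Act, \rightarrow_{\Box j}, \rightarrow_{\Diamond j})$
for $j \in \{1,2\}$ is a refinement if

1. $i_1 \mathcal{R} i_2$ and

2. $s_1 \mathcal{R} s_2$ implies

(a) $\forall s_1 \xrightarrow{a}_{\Box 1} s_1'$ implies $\exists s_2 \xrightarrow{a}_{\Box 2} s_2'$, and $s_1' \mathcal{R} s_2'$,

(b) $\forall s_2 \xrightarrow{a}_{\Diamond 2} s_2'$ implies $\exists s_1 \xrightarrow{a}_{\Diamond 1} s_1'$ and $s_1' \mathcal{R} s_2'$.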

Since identities are refinements and refinements compose as relations to refinements we get
categories MTS and MixTS, having respectively modal and mixed transition systems as objects and
refinements as arrows, and the two subcategories DMTS and DMixTS induced by action-deterministic
modal and mixed transition systems respectively.

3 Transition Systems with Responses and Refinement

As described in the introduction, the definition of transition system with responses replaces the must 
transition relation with a set of response actions for each state. 

Definition 4. A Transition System with Responses (TSR) is a tuple $T = (S, s_0, Act, \Box, \rightarrow)$
where $S$, $s_0$, $Act$ are like above and $\rightarrow \subseteq S \times Act \times S$ is an action-deterministic
transition relation and $\Box : S \rightarrow \mathcal{P}(Act)$ defines for each state the response actions. Let
$\Diamond(s) =_{def} \{a \mid \exists s'.\ s \xrightarrow{a} s'\}$, i.e., the actions on transitions that may be
taken from $s$. We then say that a TSR is modal if $\forall s \in S.\ \Box(s) \subseteq \Diamond(s)$.

As stated by the proposition below, the class of TSRs is in bijective correspondence (up to graph
isomorphism) with action-deterministic mixed transition systems. As usual we let $C_0$ refer to the class
of objects of a category $C$.

Proposition 1 (Representation of TSRs as DMixTSs). There are maps $MR : DMixTS_0 \rightarrow TSR_0$ and
$RM : TSR_0 \rightarrow DMixTS_0$ such that for any DMixTS $M$, $RM(MR(M))$ is isomorphic to $M$ and for any
TSR $T$, $MR(RM(T)) = T$.

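Proof. (outline) An action-deterministic mixed transition system $M = (S, s_0, Act, \rightarrow_\Box, \rightarrow_\Diamond)$
has as corresponding TSR $MR(M) = (S, s_0, Act, \Box, \rightarrow)$ where
$\Box(s) =_{def} \{a \mid \exists s' \in S.\ s \xrightarrow{a}_\Box s'\}$ and $\rightarrow = \rightarrow_\Diamond$.
Conversely, a TSR $T = (S, s_0, Act, \Box, \rightarrow)$ has as corresponding action-deterministic MixTS
$RM(T) = (S \cup \{s_{\Box a} \mid s \in S \wedge \Box(s) \setminus \Diamond(s) \neq \emptyset\}, s_0, Act, \rightarrow_\Box, \rightarrow_\Diamond)$,
where $\rightarrow_\Box = \{(s, a, s') \mid a \in \Box(s) \wedge (s \xrightarrow{a} s' \vee (s \not\xrightarrow{a} \wedge s' = s_{\Box a}))\}$
and $\rightarrow_\Diamond = \rightarrow$, where we assume $\forall a \in Act.\ \forall s \in S.\ s_{\Box a} \notin S$. □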

The key idea of the representation of action-deterministic mixed transition systems as TSRs,
exemplified by Fig. 1(a) and Fig. 2, is that we forget about the destination state of must transitions
and simply record the presence of a must transition with action $a$ from a state $s$ by an action $a$ in
the response set of $s$. The action determinacy conditions ensure that we can recover the original mixed
transition system (up to graph isomorphism). For the map in the other direction, note that in the case
where an action in the response set has no corresponding may transition we introduce a new state
$s_{\Box a}$ as destination of the must transition. This explains the state s5 in Fig. 2 which arises as the
state $s1_{\Box give}$.

It is easy to see that the correspondence in the proposition above restricts to a correspondence
between modal TSR and action-deterministic modal TS.

Proposition 2 (Representation of Modal TSRs as DMTSs). The maps $MR : DMixTS_0 \rightarrow TSR_0$ and
$RM : TSR_0 \rightarrow DMixTS_0$ restrict to maps $MR : DMTS_0 \rightarrow MTSR_0$ and $RM : MTSR_0 \rightarrow DMTS_0$.

As mentioned in the introduction, we interpret actions in the response sets as actions that during an 
execution must eventually be executed or be excluded from the response set. If we only consider finite 
trace semantics, this interpretation makes it natural to define accepting states for TSR as states with an 
empty response set, allowing us to use the standard definition of the language for a finite automaton to 
define the language for a TSR. 

Definition 5 (Language of a TSR). We refer to a finite sequence of transitions
$s_0 \rightarrow s_1 \rightarrow \cdots \rightarrow s_n$ starting at the initial state as a run and define that it is
accepting if $\Box(s_n) = \emptyset$. We let $L(T)$, referred to as the language of $T$, denote the set of all
action sequences labelling accepting runs.

As an example, the regular language of the medication workflow in Fig. 1(b) is given by the
expression ε + prescribe.sign(don't trust.prescribe.sign)*(don't trust.cancel + give).

In addition to accepting states, we may naturally define deadlocked states as states with a non-empty
response set but no outgoing transitions.

Definition 6 (Deadlocked state). A deadlocked state in a TSR $T = (S, s_0, Act, \Box, \rightarrow)$ is a state
with a non-empty must set, and no outgoing transitions, i.e., a state in which some actions are required
but no further transitions are possible. Formally we define a predicate deadlock on $S$ by
$\mathrm{deadlock}(s) = \Box(s) \neq \emptyset \wedge \Diamond(s) = \emptyset$. A TSR is deadlock free if it has no
reachable deadlock state.

As already mentioned in the introduction, the state s1 is deadlocked in the TSR in Fig. 1(c) since it
has the non-empty response set {give} but no outgoing transitions. It follows trivially from the definition
that a modal TSR can not have any deadlock states.

Lemma 1. Every modal TSR is deadlock free. 

Proof. For any state $s$ of a modal TSR it holds by definition that $\Box(s) \subseteq \Diamond(s)$, so it can
not be the case that $\Box(s) \neq \emptyset \wedge \Diamond(s) = \emptyset$. □

We now define refinement for TSR in Def. 7 below, guided by the representation of TSRs as DMixTS
given in Prop. 1. Condition 2a ensures that states in the refined system require at least the same responses
as the states they refine. Condition 2b ensures that transitions with actions required as responses are
preserved by the refinement, which by condition 2a also will be required as responses. Finally, condition 2c
ensures that the refined system does not introduce transitions that can not be matched in the system being
refined. We then define safe refinements as refinements satisfying the extra condition that deadlock states
must be reflected.

Definition 7 (Refinement). A binary relation $\mathcal{R} \subseteq S_1 \times S_2$ between the state sets of two
transition systems with responses $T_j = (S_j, i_j, Act, \Box_j, \rightarrow_j)$ for $j \in \{1,2\}$ is a refinement if

1. $i_1 \mathcal{R} i_2$ and

2. $s_1 \mathcal{R} s_2$ implies



The refinement $\mathcal{R}$ is safe if it satisfies the additional condition that $s_1 \mathcal{R} s_2$ implies
$\mathrm{deadlock}(s_2) \Rightarrow \mathrm{deadlock}(s_1)$, i.e. it reflects deadlock states.

Looking at the example TSRs in Fig. 1, which we will refer to as $T_a$, $T_b$, and $T_c$, it is easy to verify
that the identity relation on states is a refinement from $T_a$ to $T_b$ and from $T_a$ to $T_c$. Also, it is easy
to see that there is no refinement between $T_b$ and $T_c$: Any refinement must relate the initial states and
thus also states s1 to each other because of condition 2c. Now, $T_b$ cannot refine $T_c$ since it has a
transition from s1 which is not matched in $T_c$ as required by condition 2c. Conversely, $T_c$ cannot refine
$T_b$ since it does not match the sign transition from s1, which is required by condition 2b since it is in the
response set of s1 in $T_b$. Also, the response set of s1 in $T_b$ is not included in the response set of s1 in
$T_c$ as required by condition 2a. Finally, the refinement from $T_a$ to $T_c$ is not safe since state s1 is
deadlocked in $T_c$ as mentioned above, and this is not the case in $T_a$ since the sign transition is possible.

Since identities are refinements and refinements compose as relations to refinements we get a
category TSR with TSRs as objects and refinements as arrows. As shown in the following proposition, a
refinement between two DMixTSs is also a refinement of the corresponding TSRs and vice versa, thus
the maps given in Prop. 1 extend to a functor.

Proposition 3. The map $MR : DMixTS_0 \rightarrow TSR_0$ extends to a functor from DMixTS to TSR.

Figure 3: Example of TSRs with empty languages but not refining each other.

Proof. It follows from the definition that for two DMixTS $M_i = (S_i, s_{i,0}, Act, \rightarrow_{\Box i}, \rightarrow_{\Diamond i})$
for $i \in \{1,2\}$, if $\mathcal{R} \subseteq S_1 \times S_2$ is a refinement then it is also a refinement between the
corresponding TSRs $MR(M_i)$. □

Conversely, a refinement between two TSRs can be mapped to the corresponding DMixTS, extending 
the map RM to a functor. 

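Proposition 4. The map $RM : TSR_0 \rightarrow DMixTS_0$ extends to a functor from TSR to DMixTS.

Proof. Given two TSRs $T_i = (S_i, s_{i,0}, Act, \Box_i, \rightarrow_i)$ for $i \in \{1,2\}$, if $\mathcal{R} \subseteq S_1 \times S_2$
is a refinement then $\mathcal{R}' \subseteq S_1' \times S_2'$ is a refinement for the corresponding DMixTS
$RM(T_i) = (S_i', s_{i,0}, Act, \rightarrow_{\Box i}, \rightarrow_{\Diamond i})$, where $\mathcal{R}' =$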
^U{(^,^ D J |^}. □ 

It follows that the definition of refinement for TSRs corresponds to refinement between the
corresponding DMixTS.

Theorem 1. The category TSR is equivalent to the category DMixTS. 

The theorem above shows that TSRs and refinement are indeed equivalent to action-deterministic 
mixed transition systems with refinement. However, it is easy to give an example of a refinement which 
is not safe, as illustrated by the TSR in Fig. 1(c). This suggests that we should really work in the
subcategory of TSR with safe refinements.
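
The refinement claims for the three example systems can be checked mechanically. The Python code below is an added example, not code from the paper: it encodes Definitions 5 and 6 and decides (safe) refinement by a greatest-fixpoint computation. Assumptions: conditions 2a to 2c are formalised from their prose description, and the state graphs of $T_a$, $T_b$, $T_c$ (with the names `TSR`, `refines`, `TA`, `TB`, `TC`) are reconstructed from the text describing Fig. 1, including the choice that give and cancel both lead to a final state s4.

```python
from dataclasses import dataclass

@dataclass
class TSR:
    init: str
    resp: dict   # state -> set of response actions (the box map)
    step: dict   # (state, action) -> target; a dict enforces action determinism

    def may(self, s):
        """Actions on transitions that may be taken from s (the diamond set)."""
        return {a for (q, a) in self.step if q == s}

    def deadlocked(self, s):
        """Def. 6: some response is pending but no transition is possible."""
        return bool(self.resp[s]) and not self.may(s)

    def accepts(self, word):
        """Def. 5: the run exists and ends in a state with empty response set."""
        s = self.init
        for a in word:
            if (s, a) not in self.step:
                return False
            s = self.step[(s, a)]
        return not self.resp[s]

def refines(t1, t2, safe=False):
    """True iff some (safe) refinement relates t1.init to t2.init (t2 refines t1).

    Greatest fixpoint: start from S1 x S2 and discard pairs that violate a
    condition. Conditions 2a-2c are an assumed reading of the paper's prose.
    """
    rel = {(p, q) for p in t1.resp for q in t2.resp}

    def ok(p, q):
        def matched(a):  # both sides can do a, and the targets are still related
            return ((p, a) in t1.step and (q, a) in t2.step
                    and (t1.step[p, a], t2.step[q, a]) in rel)
        return (t1.resp[p] <= t2.resp[q]                              # 2a
                and all(matched(a) for a in t1.resp[p] & t1.may(p))   # 2b
                and all(matched(a) for a in t2.may(q))                # 2c
                and not (safe and t2.deadlocked(q) and not t1.deadlocked(p)))

    changed = True
    while changed:
        bad = {pq for pq in rel if not ok(*pq)}
        rel -= bad
        changed = bool(bad)
    return (t1.init, t2.init) in rel

# Constructed from the prose description of Fig. 1(a); states s0..s4.
RESP_A = {"s0": set(), "s1": {"give"}, "s2": {"give"},
          "s3": {"prescribe"}, "s4": set()}
STEP_A = {("s0", "prescribe"): "s1",
          ("s1", "prescribe"): "s1", ("s1", "sign"): "s2", ("s1", "cancel"): "s4",
          ("s2", "give"): "s4", ("s2", "don't trust"): "s3",
          ("s3", "prescribe"): "s1", ("s3", "sign"): "s2", ("s3", "cancel"): "s4"}
TA = TSR("s0", RESP_A, STEP_A)
# (b): one prescription at a time, sign is a response in s1, cancel only from s3.
TB = TSR("s0", {**RESP_A, "s1": {"give", "sign"}},
         {k: v for k, v in STEP_A.items()
          if k not in {("s1", "prescribe"), ("s1", "cancel"), ("s3", "sign")}})
# (c): s1 keeps the response give but loses every outgoing transition.
TC = TSR("s0", RESP_A, {k: v for k, v in STEP_A.items() if k[0] != "s1"})
```

Calling `refines(TA, TC)` succeeds while `refines(TA, TC, safe=True)` fails, because the pair (s1, s1) is discarded by the deadlock-reflection condition and the initial states then lose their match for prescribe.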

Below we prove that refinement for TSRs implies language inclusion. 

Proposition 5. Given two TSRs $T_i = (S_i, s_{i,0}, Act, \Box_i, \rightarrow_i)$ for $i \in \{1,2\}$. If there exists a
refinement $\mathcal{R} \subseteq S_1 \times S_2$ then $L(T_2) \subseteq L(T_1)$.

Proof. Assume $\mathcal{R} \subseteq S_1 \times S_2$ is a refinement of two TSRs $T_i = (S_i, s_{i,0}, Act, \Box_i, \rightarrow_i)$
for $i \in \{1,2\}$ and $\sigma_2 = s_{2,0} \rightarrow s_{2,1} \rightarrow \cdots s_{2,n}$ is an accepting run of $T_2$. Then by
condition 2c of Def. 7 there exists a run $\sigma_1 = s_{1,0} \rightarrow s_{1,1} \cdots$ of $T_1$ such that
$s_{1,j} \mathcal{R} s_{2,j}$. By condition 2a and $\Box(s_{2,n}) = \emptyset$ it then follows that
$\Box(s_{1,n}) = \emptyset$, so the run $\sigma_1$ is accepting and has the same sequence of actions as $\sigma_2$. □

The converse, that language inclusion implies refinement, is not true. As a counterexample, consider
the two TSRs in Fig. 3 with a single transition each from the initial state to the initial state, but with two
different actions, and such that the action is a member of the response set. Both TSRs have empty
language (and no deadlocks) but are not related by refinement in any direction. One may however argue
that this counterexample is an artefact of restricting attention to finite trace semantics. Indeed, the
infinite sequence of a actions should be acceptable in the left system and the infinite sequence of b
actions should be acceptable in the right system since it fulfils the response constraint. We leave for
future work to investigate TSRs and refinement for infinite trace semantics, and whether language
inclusion in this case does indeed imply refinement for TSRs.

4 Conclusion and Future Work

We have introduced Transition Systems with Responses (TSRs) as a conservative generalisation of
action-deterministic Modal Transition Systems, which allows for static (implementation time)
refinements as well as dynamic (runtime) resolution of underspecified behaviour. We have proven that the
TSR model corresponds to a restricted class of mixed transition systems, which we refer to as the
action-deterministic mixed transition systems. This class of mixed transition systems is much simpler than
general mixed transition systems, and yet allows for a natural definition of deadlocks. We have
formulated the standard refinement for mixed TS in terms of TSRs and proposed studying safe refinements,
which are refinements that reflect deadlocked states, i.e., those which preserve deadlock freedom.

We leave as future work the study of how to lift the restriction to action-deterministic MTS, and how 
to treat infinite computations and liveness for TSR and refinements for such. 